REVIEW OF DOS CONTROLS OVER THE SHARP SYSTEM

Audit Report No. 00-017
May 22, 2000

OFFICE OF AUDITS
OFFICE OF INSPECTOR GENERAL

Federal Deposit Insurance Corporation          Office of Audits
Washington, D.C. 20434                         Office of Inspector General

DATE:            May 22, 2000

MEMORANDUM TO:   James L. Sexton, Director
                 Division of Supervision

FROM:            David H. Loewenstein
                 Assistant Inspector General

SUBJECT:         Review of DOS Controls over the SHARP System
                 (Audit Report No. 00-017)

The Federal Deposit Insurance Corporation’s (FDIC) Office of Inspector General (OIG) has
completed its review of the Division of Supervision’s (DOS) controls over the reliability of the
Scheduling, Hours, And Reporting Package (SHARP) system. We have also reviewed the
Division of Compliance and Consumer Affairs’ (DCA) controls over SHARP, which are
addressed in a separate report to DCA.


BACKGROUND

The SHARP system is a computerized scheduling, hours, and reporting tracking system. It has
been developed for DOS and DCA to standardize the process of collecting and reporting hours
utilization information for examiners.

DOS employees are responsible for recording their own hours in SHARP. Within the system,
hours are allocated by activity codes according to the type of task performed. Such tasks include,
for example, bank examinations, training, and travel. For bank examinations, hours can be
allocated by specific examinations and by various kinds of examination activities.
In addition, hours that examiners work inside a bank can be differentiated from those worked
outside the bank. The system also tracks hours by office codes, which allows for hours to be
reported by office, including detail assignments. Once the employees have entered their hours on
their computer, they upload the data to a central database.

DOS management uses SHARP information for examination management and budget purposes,
analyzing and tracking examination time spent, and projecting future staffing needs.


OBJECTIVES, SCOPE, AND METHODOLOGY

Our objectives were to determine whether the SHARP system as used by DOS (1) has proper
internal controls in place and (2) generates accurate and reliable information. We reviewed
SHARP data for the months of May and September 1999 and DOS Regional Office Reviews from
January 1998 through June 1999.

We performed fieldwork in the DOS Washington, D.C., headquarters office. We focused our
review on the internal controls in place and the system’s ability to generate accurate and reliable
data. We obtained and reviewed the SHARP User Manual and DOS Regional Office Reviews.
We judgmentally selected SHARP hours reports for May 1999 and September 1999 for review.
We interviewed the DOS SHARP system liaison, DOS management and staff, and the Division of
Information Resources Management (DIRM) project manager for SHARP. The review was
conducted in accordance with generally accepted government auditing standards. Our review was
performed from October 1999 through February 2000.


RESULTS OF REVIEW

Overall, the SHARP system generally meets the needs of DOS examiners and management. DOS
regional office reviews check the reliability of the SHARP data on a periodic basis. However, during
our review we noted some controls that should be strengthened over the data in the SHARP system to
ensure data integrity and reliability.
These controls relate to the input and review of employee hours
and the prevention of data alteration.

We attempted to test the system’s data integrity to determine whether the system generates accurate
and reliable data. However, due to the internal control weaknesses noted above, we decided to
postpone further testing until a future audit is conducted, once the internal controls have been
strengthened. Our results are discussed in more detail below.


INPUT AND REVIEW OF EMPLOYEE HOURS

According to the SHARP User Manual, all examiners should enter their record of hours worked into
the SHARP system “on a daily basis if possible. In this way, the data will have the highest degree of
accuracy. If hours cannot be entered daily, they should be entered as often as possible.”

During its regional office reviews in 1998, DOS headquarters identified problems with the SHARP
data in two regions. In both regions, DOS identified employees who had entered time in excess of or
under the required 80 hours per pay period. In one region, six employees had been identified as not
entering data in the SHARP system at all for the weeks reviewed.

In 1999, DOS headquarters identified problems related to SHARP data in two other regional office
reviews. One common problem identified was that users were not consistently reporting hours and
accounting codes. Also, DOS headquarters staff noted discrepancies between employee hours entered
in the SHARP system and hours entered for time and attendance reporting.

Timely and accurate data entry is an important practice when tracking time charges to specific
examinations. At the end of an examination, DOS generates a report from the SHARP system, the
Page A Report, which details the hours by examiner, grade, activity, and division.
In addition, examination hours spent inside the bank and outside the bank are identified
separately. DOS uses this information to establish benchmarks for subsequent examinations and to
plan for resource levels needed to complete its workload. If the Page A Report is generated and
examiners either have not entered their time charges into SHARP or have entered them incorrectly,
the Page A Report will not accurately reflect resources devoted to the examination.

Through interviews with DOS management in Washington, we also identified that examiners-in-charge,
field office supervisors, and regional managers are not required to review or approve examiner
time charges on a regular basis. We were told that examiners-in-charge are conscious of hours
charged to their examinations (as the hours appear on the Page A Report) and that they would be alert
to any major discrepancies that occurred.

A review of the Page A Report alone does not provide assurance that all the hours entered in SHARP
are accurate, because the Page A Report captures data associated with examination activities only. It
does not identify hours for non-examination activities, such as annual leave and training. Therefore, we
believe that reviewing the Page A Report does not provide the assurance needed to rely on the data in
the SHARP system.


PREVENTION OF DATA ALTERATION

During our review we found that employees are able to change their hours in the SHARP database.
The ability to alter time charges raises concerns over the reliability of data in management reports.

If changes are made to the SHARP data, the SHARP system does not retain the previous date(s) when
hours were entered into the system; it also does not track the sources of subsequent data changes.
Consequently, if changes are made several times, there is no audit trail to determine when the previous
changes were made.
The SHARP system does include a date when data is entered, but the date
changes each time an employee corrects a data record. Consequently, the date retained in the system is
the last date when an employee updated the record.

We reviewed a sample of time charge records for employees in one DOS regional office for May 1999.
The SHARP report showed that users entered the system from August through December 1999 and
accessed May 1999 time charges for 6 out of 269 employees. The system does not track whether the
time charges for the 6 employees had been altered or not. However, we believe it should be rare for
time charges to be accessed 3 to 7 months after the pay period end.


CONCLUSION AND RECOMMENDATIONS

We believe that DOS needs to strengthen its controls to provide a higher level of reliability for the
SHARP data. We believe that improved controls would not require extensive DOS resources, and that
those controls would enhance the reliability of management reports. Because SHARP is relied upon to
track DOS’s workload and to help plan for future resources, we believe DOS should take action to
address the control weaknesses we identified.

Accordingly, to increase the reliability of management reports generated by the SHARP system, we
recommend that the Director, DOS:

(1) Instruct examiners to complete their time charges on a daily basis, or as frequently as possible, as
    required by the SHARP User Manual;

(2) Require examiners-in-charge and/or field office supervisors to review time charges on a regular
    basis for accuracy;

(3) Pursue with DIRM the possibility of changing the SHARP system to lock in time charges after a
    certain period of time, or some other method of limiting the ability to change data; and

(4) Pursue with DIRM the possibility of retaining the original date that data is entered into SHARP in
    addition to the currently maintained date of last entry or access.


CORPORATION COMMENTS AND OIG EVALUATION

On April 14, 2000, the Director, DOS, provided a written response to the draft report. The response is
presented in Appendix I of this report.

Management agreed with all of the recommendations. Corrective actions will be implemented by the
end of the second quarter of 2000 for recommendation 1 and by the end of the third quarter of 2000
for recommendations 2 and 3. With regards to recommendation 4, DOS has contacted DIRM to
discuss financially viable options to retain the original date as well as retaining the most recent date data
is entered in SHARP. DOS management stated that “creating a full audit trail would be prohibitively
costly since it would require a major redesign of the software.” DOS also stated in its letter that
“DIRM will continue to look at alternative methods of either capturing and retaining the original date
or other methods of better tracking user changes. …This issue can be re-addressed at subsequent
budget periods.”

The Corporation’s response provided us with the requisite elements of a management decision for all
recommendations. The Director, DOS, agreed to take action on our recommendations. We concur
with and accept management’s response to the recommendations.


APPENDIX I

Federal Deposit Insurance Corporation
550 17th Street, NW, Washington, DC 20429          Division of Supervision

April 14, 2000

TO:        David H. Loewenstein, Assistant Inspector General
           OIG Office of Audits

FROM:      James L. Sexton, Director
           Division of Supervision

SUBJECT:   Response to Draft Report Entitled Review of DOS Controls over the SHARP
           System

Thank you for the opportunity to comment on your draft report Review of DOS Controls over the
SHARP System. As requested in your memorandum dated March 20, 2000, we are presenting our
response to the OIG's Office of Audits recommendations contained in the aforementioned report both
in hard copy and electronic format.

Recommendation 1 - Instruct examiners to complete their time charges on a daily basis, or as
frequently as possible, as required by the SHARP User Manual.

DOS believes it is unnecessary to require examiners to enter their hours information into SHARP on a
daily basis. Activities must be reported on a day-by-day basis, but not necessarily entered every day.
The examiners travel frequently and it is often not convenient for them to enter SHARP data daily.
While the more frequent the data entry, the less likely it is that activities will be forgotten or coded
incorrectly, daily entry is often not feasible or practical. Therefore, the SHARP User Manual is being
revised to instruct staff to enter hours as often as possible, but not less than every two weeks. The
changes to the User Manual are currently undergoing the approval process. Once approved, the
electronic version of the Manual will be updated on the SHARP Intranet Web page. We expect this
process to be finished by the end of second quarter, 2000. DOS will notify SHARP users, as well as
the OIG, once the electronic Manual is updated.

Recommendation 2 - Require examiners-in-charge and/or field office supervisors to review time
charges on a regular basis for accuracy.

We agree with the OIG that the data entered into SHARP needs to be reviewed for accuracy.
As part of the SHARP User Manual update, statements will be added that instruct
examiners-in-charge to review hours data on the Page A Workpaper for reasonableness. As stated
above, DOS will notify the OIG when the electronic Manual is updated.

In the next SHARP guidance memo DOS develops, a statement will be included that expresses the
necessity and importance of data integrity, and that time charges are to be reviewed by the Field Office
Supervisor and/or others for accuracy. Field Office audit procedures will address the need for SHARP
review. DOS will include the OIG on the distribution list of the next guidance memo, which is
expected to be developed and distributed by the end of the third quarter, 2000.

Additional guidance will be given to the Regional Directors stressing the importance of reviewing the
accuracy of the SHARP data. DOS will include the OIG on the distribution list of this memo.

Recommendation 3 - Pursue with DIRM the possibility of changing the SHARP system to lock
in time charges after a certain period of time, or some other method of limiting the ability to
change data.

The OIG draft report states that the records sampled from one DOS regional office showed six
employees had accessed their time charges that were three or more months old. However, DOS
doesn't believe that employees' altering their time charges is necessarily a negative occurrence. There
were numerous reviews of SHARP data by Washington and regional staff during 1999 and when
errors or questions are found, the involved user was notified and requested to review and change the
data if needed. Many of these reviews were conducted at quarter- and year-end resulting in extended
periods before the user actually made the change.
DOS expected employees to review their hours
charged throughout 1999 and to make corrections where necessary so that hours data could be
reported accurately.

The SHARP system does not currently have an audit trail system that tracks changes made to the data.
DCA and DOS met with DIRM to discuss financially viable options for locking in data and limiting the
ability to change data. The software will be revised to limit the length of time that a user can go back
to and make changes or entries. Users will now be allowed to make entries and changes for the 180
day period preceding the current date. This timeframe will allow review of uploaded data by audit and
management groups, who can then request that users make necessary corrections. Any changes to
earlier dates will have to go through the SHARP Administrator and be documented. If a user attempts
to upload a change to an earlier date, a warning message will be provided and the data captured in an
exception report. This exception report can then be provided to the SHARP Administrator, with
explanation, for processing.

DOS will notify SHARP users, as well as the OIG, via memorandum once the limitation on the
SHARP system is in place. DIRM anticipates that this change can be made to the software by the end
of third quarter, 2000.

Recommendation 4 - Pursue with DIRM the possibility of retaining the original date that data
are entered into SHARP in addition to the currently maintained date of last entry or access.

DCA and DOS met with DIRM to discuss financially viable options to retain the original date data are
entered as well as the most recent date data are entered into SHARP. A cost analysis indicated that
creating a full audit trail would be prohibitively costly since it would require a major redesign of the
software.
When a change is made to an entry, the entire record for that date is replaced with the
revised record and retaining the original date would require creating a temporary record to store the
date, then adding it to the new record. This would also slow the process of uploading data to the
server. DIRM will continue to look at alternative methods of either capturing and retaining the original
date or other methods of better tracking user changes. The addition of the 180 day entry limitation and
increased review of the data should help in reducing concerns about changes to the data. This issue
can be re-addressed at subsequent budget periods, however at this point it would be difficult to justify
the expenditure required to implement this change.

If you have any questions, please contact Deborah Boone, (202) 898-6954.


APPENDIX II

MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management
decisions on its recommendations in its semiannual reports to the Congress. To consider FDIC’s
responses as management decisions in accordance with the act and related guidance, several
conditions are necessary.
First, the response must describe for each recommendation
- the specific corrective actions already taken, if applicable;
- corrective actions to be taken together with the expected completion dates for their implementation; and
- documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount
agreed or disagreed with and the reasons for any disagreement. In the case of questioned costs, the
amount FDIC plans to disallow must be included in management’s response.

If management does not agree that a recommendation should be implemented, it must describe why the
recommendation is not considered valid.

Second, the OIG must determine that management’s descriptions of (1) the course of action already
taken or proposed and (2) the documentation confirming completion of corrective actions are
responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report
and the status of management decisions. The information for management decisions is based on
management’s written response to our report.

| Rec. Number | Corrective Action: Taken or Planned/Status | Expected Completion Date | Documentation That Will Confirm Final Action | Monetary Benefits | Management Decision: Yes or No |
|---|---|---|---|---|---|
| 1 | The SHARP User Manual is being revised to instruct staff to enter hours as often as possible, but at least every two weeks. | Quarter 2, 2000 | SHARP User Manual SHARP Intranet Web Page | Not Quantifiable | Yes |
| 2 | DOS has updated the Sharp User Manual with instructions to examiners-in-charge to review hours on the Page A Workpaper for reasonableness. In the next SHARP guidance memo, a statement will be included that expresses the necessity and importance that time charges are reviewed by the Field Office Supervisor for accuracy. | Quarter 3, 2000 | Copy of guidance memo provided to all staff | Not Quantifiable | Yes |
| 3 | DIRM will revise software to limit the length of time that a user can go back to make changes or entries. | Quarter 3, 2000 | Copy of SHARP limitation memo to all staff | Not Quantifiable | Yes |
| 4 | DOS and DCA met with DIRM to discuss financially viable options to retain the original date data are entered as well as the most recent date data are entered into SHARP and determined that creating a full audit trail would be prohibitively costly. DIRM will continue to look at alternative methods of either capturing and retaining the original date or other methods of better tracking user changes. | N/A | Management’s response to the draft report dated 4/14/00 | Not Quantifiable | Yes |
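
The controls discussed under recommendations 3 and 4 (a 180-day entry window with an exception report, and keeping the original entry date alongside the date of last change), as an added Python example that is not part of the report and is not SHARP code. The table names, columns, and the `new_db`, `upload`, and `record` functions are hypothetical, and the sample dates are constructed.

```python
import sqlite3
from datetime import date

EDIT_WINDOW_DAYS = 180  # entry window stated in the DOS response

# Hypothetical schema; the report does not describe SHARP's real tables.
SCHEMA = """
CREATE TABLE time_charge (
    employee TEXT, work_date TEXT, activity TEXT, hours REAL,
    first_entered TEXT,   -- set once, never overwritten
    last_changed  TEXT,   -- the date that moves with every correction
    PRIMARY KEY (employee, work_date, activity));
CREATE TABLE change_log (
    employee TEXT, work_date TEXT, activity TEXT, old_hours REAL,
    new_hours REAL, changed_by TEXT, changed_on TEXT, reason TEXT);
CREATE TABLE exception_report (
    employee TEXT, work_date TEXT, activity TEXT, hours REAL,
    attempted_by TEXT, attempted_on TEXT);
"""
WHERE = "WHERE employee=? AND work_date=? AND activity=?"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def upload(conn, user, employee, work_date, activity, hours, today,
           admin_reason=None):
    """Apply one uploaded time charge; return 'accepted' or 'exception'."""
    key = (employee, work_date.isoformat(), activity)
    stamp = today.isoformat()
    # Outside the window, only a documented administrator change goes through;
    # anything else is captured for the exception report and not applied.
    if (today - work_date).days > EDIT_WINDOW_DAYS and admin_reason is None:
        conn.execute("INSERT INTO exception_report VALUES (?,?,?,?,?,?)",
                     key + (hours, user, stamp))
        return "exception"
    row = conn.execute(f"SELECT hours FROM time_charge {WHERE}", key).fetchone()
    if row is None:
        conn.execute("INSERT INTO time_charge VALUES (?,?,?,?,?,?)",
                     key + (hours, stamp, stamp))
    else:
        # Update in place so first_entered survives every later correction.
        conn.execute(f"UPDATE time_charge SET hours=?, last_changed=? {WHERE}",
                     (hours, stamp) + key)
    # Append-only history: who changed what, when, and from which value.
    conn.execute("INSERT INTO change_log VALUES (?,?,?,?,?,?,?,?)",
                 key + (row[0] if row else None, hours, user, stamp,
                        admin_reason))
    return "accepted"


def record(conn, employee, work_date, activity):
    """Return (hours, first_entered, last_changed) for one time charge."""
    return conn.execute(
        f"SELECT hours, first_entered, last_changed FROM time_charge {WHERE}",
        (employee, work_date.isoformat(), activity)).fetchone()


if __name__ == "__main__":
    db = new_db()
    day = date(1999, 5, 10)  # constructed sample data
    print(upload(db, "e1", "e1", day, "EXAM", 8.0, date(1999, 5, 11)))
    print(upload(db, "e1", "e1", day, "EXAM", 6.0, date(1999, 8, 20)))
    print(upload(db, "e1", "e1", day, "EXAM", 4.0, date(1999, 12, 1)))
    print(record(db, "e1", day, "EXAM"))
```
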